Webmail Phishing 27971b3a

Detects a phishing kit impersonating Webmail.

References

https://urlscan.io/result/27971b3a-f9f4-44ea-9df6-b3af1e386048/
https://urlscan.io/search/#filename%3A%22evergageSmall.min.js.download%22

IOK Rule (edit)

title: Webmail Phishing 27971b3a
description: |
  Detects a phishing kit impersonating Webmail.
  
references:
  - https://urlscan.io/result/27971b3a-f9f4-44ea-9df6-b3af1e386048/
  - https://urlscan.io/search/#filename%3A%22evergageSmall.min.js.download%22
  
detection:

  imageAssets:
    requests|endswith|all: 
      - "/images/logo_1.png"
      - "/images/logo_2.png"
    
  randomString:
    html|contains: 'bis_register="W3sibWFzdGVyIjp0cnVlLCJleHRlbnNpb25JZCI6ImVwcGlvY2VtaG1ubGJoanBsY2drb2ZjaWllZ29tY29uIiwiYWRibG9ja2VyU3RhdHVzIjp7IkRJU1BMQVkiOiJlbmFibGVkIiwiRkFDRUJPT0siOiJlbmFibGVkIiwiVFdJVFRFUiI6ImVuYWJsZWQiLCJSRURESVQiOiJkaXNhYmxlZCJ9LCJ2ZXJzaW9uIjoiMS45LjAzIiwic2NvcmUiOjEwOTAzMH1d"'
  
  condition: imageAssets and randomString